Networking > Router firewall security > Part II: Managing Access to Routers > Chapter 3. Accessing a Router > Example Configuration

Now that you understand some of the basics of authentication and access, take a look at an example that uses some of the ideas discussed in this chapter. This example uses the network shown in Figure 3-4 to illustrate the configuration of the router called Skunk. In this example, there are two administrative machines: 192.168.3.10 and 192.168.3.11. Example 3-19 displays the configuration.

Figure 3-4. Basic Configuration Example

[View full size image]

The two username commands at the beginning of the configuration use MD5 encryption to protect the passwords for the admin1 and techie1 accounts. Admin1 is given level 15 access, and techie1 is given only level 7 access. Notice that the privilege commands below this allow techie1 to execute show and debug commands and the shutdown command on an interface.

Example 3-19. Implementing Many Concepts Covered in This Chapter

Router(config)# username admin1 privilege 15 secret geekyadmin

Router(config)# username techie1 privilege 7 secret

  underpaidoverworked

Router(config)# privilege exec level 7 show

Router(config)# privilege exec level 7 debug

Router(config)# privilege exec level 7 configure

Router(config)# privilege configure level 7 interface

Router(config)# privilege interface level 7 shutdown

Router(config)# line console 0




Router(config-line)# login local

Router(config-line)# exit

Router(config)# line aux 0

Router(config-line)# login local

Router(config-line)# exec-timeout 5 0

Router(config-line)# exit

Router(config)# access-list 1 permit 192.168.3.10

Router(config)# access-list 1 permit 192.168.3.11

Router(config)# line vty 0 4

Router(config-line)# access-class 1 in

Router(config-line)# login local

Router(config-line)# transport input ssh

Router(config-line)# transport output ssh

Router(config-line)# exec-timeout 5 0

Router(config-line)# exit

Router(config)# hostname Skunk

Skunk(config)# ip domain-name quizware.com

Skunk(config)# crypto key generate rsa

The name for the keys will be: Skunk.quizware.com

Choose the size of the key modulus in the range of 360 to 2048 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys ...[OK]

00:02:25: %SSH-5-ENABLED: SSH 1.5 has been enabled

Skunk(config)# no ip http server

Skunk(config)# no ip http server-secure

Skunk(config)# no snmp-server

Skunk(config)# service password-encryption

Skunk(config)# banner motd $

THIS, THE DEAL GROUP, INC., COMPUTING SYSTEM IS FOR AUTHORIZED

OFFICIAL USE ONLY. Unauthorized use or use for other than official

THE DEAL GROUP, INC. business is a violation of State and Federal LAW



Individuals using this computing system are subject to having all

of their activities on this system monitored and recorded without

further notice. Auditing of users may include keystroke monitoring.



Any individual who uses this system expressly consents to such

monitoring and is advised that information about their use of the

system may be provided to State and Federal law enforcement or

other authorities if evidence of criminal or other unauthorized

activity is found.

$

Skunk(config)# do copy running-config startup-config

Below the last privilege command, I have set up authentication for the console, auxiliary, and VTY lines to use the local authentication database (login local). For both the auxiliary and VTY lines, I have limited their idle timeout to 5 minutes; for the VTY lines, I have restricted Telnet (and SSH) access to only the two administrative PCs. I also have restricted VTY access to SSH with the transport line commands.

Below this begins the configuration to allow SSH access, which gives the two administrators encrypted access to the Skunk router. Notice that you first must assign the router a name (hostname) and a domain name (ip domain-name). Next, you must generate your encryption keys with the crypto key generate rsa command. Even though ACLs are discussed later in the book, make sure that you set up an ACL that allows SSH (TCP 22) but denies Telnet (TCP 23) to the router.

Below the SSH configuration, I have disabled specific services: HTTP, HTTPS, and SNMP. Even though all the passwords I have used (username secret) are encrypted by MD5, I am providing an additional layer of protection by using the service password-encryption command for any other later passwords that I enter that are not encrypted. Finally, I set up a login banner using the banner motd command and saved the configuration.

As you can see, this example is simple and straightforward. However, as you will see throughout the rest of this book, you need to configure many more things on your router, especially a perimeter router, to make it more secure.